Gimme a Brekka!: Deciphering “Authorization” Under the CFAA and How Employers Can Protect Their Data

Federal circuit courts offer conflicting interpretations of when an employee violates the Computer Fraud and Abuse Act (CFAA) by accessing an employer’s computer system without authorization. Enacted originally as an anti-hacker statute, the language of the CFAA proves ambiguous when courts attempt to apply its sanctions to individuals given access to a computer (such as an employee by an employer). Circuit Courts have interpreted the statute differently, generally applying one of two theories to reach their interpretations: (1) agency theory; or (2) looking to the plain language of the statute and the rule of lenity. These differing interpretations have resulted in varying outcomes when employers seek to sanction employees for violating the Act. Employers face tough questions about when and how to seek sanctions when employees potentially violate their rights of computer access. This Article takes an in-depth look at the varying interpretations among the circuits and considers a number of district court cases and their application of the CFAA.